796 points _Microft | 2 comments
manigandham No.22738023
1) If Zoom can do this then it's a MacOS security bug.

2) UX matters. Users don't care about the technical details, they want a smooth experience and that can be the difference between a billion-dollar business or a failed startup. And yes the desktop version is more stable than the web-based UI.

3) Malware is defined by what it does, not how it's installed.

Gaelan No.22738342
I mean, it's not really a security bug. Installer.app displays a dialog box that says "Hey, this package wants to run arbitrary code to check if it's compatible with your system. Is that OK?" The user is explicitly opting into the code execution. Zoom's "compatibility check" installs the app and kills the installer window. That's certainly unexpected behavior, but I don't think it's an exploit in any real sense.

Normally I'd object to running arbitrary code with just an easily-skippable dialog as confirmation, but I think it's OK in this case, where the expectation was that we're installing their software anyway.

1. etaioinshrdlu No.22742516
It's really Apple's fault. "This package will run a program to determine if the software can be installed" is just fundamentally a very strange statement to make, loaded with vagueness.

Think about your average user... they are running an installer program... which alerts them that they need to run another program... to determine if they can install the program... (which the user thought they were already doing).

The loaded expectation of the user to realize they are granting privileges to a program to determine whether they can install a program is just totally unreasonable.

It just sounds more and more ridiculous written out like this.

2. Smoosh No.22744086
On top of this, a standard install asks for permissions, but doesn't disclose who/what is asking for it (certified in some way) or what permissions it wants, if these are temporary for the install or permanent for the application, or what it is going to do during the install (what goes where, what gets changed etc).

It is long past time for Apple to improve this process.